[arch-projects] [RFC 00/23] Encrypted volume work
dgbaley27 at 0x01b.net
Fri May 18 12:21:54 EDT 2012
From: Matthew Monaco <matthew.monaco at 0x01b.net>
I worked with Dave and Tom this past weekend to clean up and enhance
encrypted volume handling. There are quite a few "patches" here, and
more to come against initscripts. All of this fixes a handful of bugs,
adds new features, and does some refactoring.
In summary, I wrote a new package called 'cryptmount.' The intention is
for it to depend on cryptsetup and to provide the encrypt hooks for
mkinitcpio. Additionally initscripts will depend on cryptmount
(optdepends will work too).
The cryptmount code is here and the initscripts changes are here
There are a few goals:
1) Use the same code for the mkinitcpio encrypt hook and initscripts.
2) Allow for interoperability with systemd's crypttab format.
This is accomplished without any forced changes on the user (with the
exception of plaintext passwords in crypttab).
3) Allow the random seed to be restored before doing things like setting
up a swap volume which uses /dev/urandom as a password.
4) If possible, allow for encrypted /usr from the initrd. This depends
on Dave's working branch of mkinitcpio which provides late hooks (and
*5*) Do not drop support for current configurations. This is important.
The only thing that is dropped is storing a plain text password in
crypttab. Whether your options line in crypttab is literally for
cryptsetup (--size=100 --cipher=...) or a comma separated list
(size=100,cipher=...), your configuration will be supported.
That said, if you see any holes in this statement, please let me know
and I will address it.
This addresses the following bugs; there may be more, and you may
question whether it does for some of these:
FS#17131 - Restore random seed before using decryption
FS#24700 - Allow UUID for cryptdevice
    In addition we support UUID, PARTUUID, LABEL for both the
    encrypted device AND the passphrase if it is on an external
FS#27137 - I think a dup of the above.
FS#23182 - Multiple device support for the initrd
    The encrypt hook included supports root, /usr, and an
    arbitrary number of encrypted mappings.
FS#15738 - More or less similar to above
FS#21936 - Don't immediately revert to interactive pw if key device is
    All devices are resolved and waited on IFF udevd is running.
    This goes for the initrd and rc.sysinit.
FS#21198 - Mount key devices if needed.
    This is done whenever the key is a file on another device and
    that device is not already mounted.
FS#21513 - Provide a man page for crypttab.
    I wrote one, and one for cryptmount.
I have been testing this for the past week, but I'm sure there are some
bugs. Please report any problems you see (or experience if you are able
to test). Also, if you see an opportunity for improvements in
efficiency, cleanup, or additional functionality, let me know.
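As an added illustration of the crypttab handling described in this RFC (goal 2 and point 5, plus the UUID/PARTUUID/LABEL resolution under FS#24700), here is a small POSIX sh sketch that is not part of the cryptmount patch set: it maps a UUID=/PARTUUID=/LABEL= specifier onto the udev symlinks under /dev/disk, and normalises an options field written either as literal cryptsetup flags or as a systemd-style comma list. It assumes udevd has populated /dev/disk and that the options field carries only options cryptsetup itself understands; the choice of cryptsetup subcommand (luksOpen vs. create) is left to the caller.

```shell
#!/bin/sh
# Example helpers, not code from cryptmount. POSIX sh only.

# Resolve UUID=/PARTUUID=/LABEL= to the udev-maintained symlink; a plain
# /dev path is passed through unchanged. Assumes udevd has run.
resolve_devspec() {
    case "$1" in
        UUID=*)     printf '/dev/disk/by-uuid/%s\n' "${1#UUID=}" ;;
        PARTUUID=*) printf '/dev/disk/by-partuuid/%s\n' "${1#PARTUUID=}" ;;
        LABEL=*)    printf '/dev/disk/by-label/%s\n' "${1#LABEL=}" ;;
        *)          printf '%s\n' "$1" ;;
    esac
}

# Print the fourth crypttab field as one cryptsetup long option per line.
# Accepts the legacy Arch form ("--size=100 --cipher=...", whitespace
# separated) and the systemd form ("size=100,cipher=...", comma separated).
normalize_crypttab_options() {
    field=$1
    case "$field" in
        -*)
            # Already cryptsetup syntax: just split on whitespace
            for item in $field; do printf '%s\n' "$item"; done ;;
        *)
            # systemd form: split on commas, prefix each entry with --
            old_ifs=$IFS; IFS=,
            for item in $field; do
                if [ -n "$item" ]; then printf -- '--%s\n' "$item"; fi
            done
            IFS=$old_ifs ;;
    esac
}

# Turn one crypttab line ("name device keyfile options") into the argument
# list a caller would hand to cryptsetup, one argument per line:
# options, --key-file (unless the key is none/-/empty, i.e. ask), the
# resolved device, then the mapping name.
crypttab_to_args() {
    set -- $1               # split the line on whitespace
    name=$1 dev=$2 key=$3 opts=$4
    normalize_crypttab_options "$opts"
    case "$key" in
        none|-|"") ;;       # interactive passphrase, no --key-file
        *) printf -- '--key-file=%s\n' "$key" ;;
    esac
    resolve_devspec "$dev"
    printf '%s\n' "$name"
}
```

The swap example from the RFC, `swap PARTUUID=<id> /dev/urandom size=256,cipher=...`, comes out with the random-device key and a by-partuuid path, which is why the random seed must be restored before this line is processed.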